October 2010
2010 First Data Corporation. All trademarks, service marks and trade names referenced in this material are the property of their respective owners.
• Protecting against the theft of customer data
• Preventing unauthorized use of consumer data in fraudulent transactions
In both cases, there are tools and services available for even the smallest merchants to reduce the costs of defending against these threats, enabling retailers to pursue eCommerce revenue opportunities without assuming excessive fraud risks or employing time-consuming manual practices.
firstdata.com
page 2
Even worse, the total eventual damage to an online business can be greater still. Data breaches produce unwelcome publicity that can have a severe negative impact on a retail organization's brand and reputation. The damage from a data breach often extends well beyond losing the trust of only those customers directly impacted by the incident, and negative public perceptions can persist for years after a breach.
One of an eCommerce business's primary responsibilities related to data security and fraud management is the requirement to comply with the Payment Card Industry Data Security Standard (PCI-DSS), a set of obligations mandated by the card networks to help protect consumers' personal information. The PCI requirements pertain to how cardholder data is stored, accessed, and handled by a business. Organizations that store account information are required to certify that they are in compliance with PCI standards. This certification process, which must be repeated periodically, can be expensive and time-consuming. Large numbers of small- and medium-sized merchants are somewhat bewildered by PCI compliance, according to a July 2009 survey conducted by ControlScan, the National Retail Federation and the PCI Knowledge Base. "The standard is meant to keep their customers' data safer but understanding it has proven difficult for small merchants," asserts the group's research report.4
Fortunately, there are services and solutions available to help eCommerce merchants both avoid data breaches and achieve cost-effective PCI compliance. These services assess the overall cardholder data environment, recommend ways to minimize compliance costs, protect transmitted data, and conduct annual audits to maintain compliance.
In addition, service providers can help merchants implement newer approaches to data security, such as tokenization and end-to-end encryption (see First Data's white paper, A Primer on Payment Security Technologies: Encryption and Tokenization, for more information on this topic). Data security and PCI compliance services are often available from payment processors, and these services can be well worth the investment. Large payment processing companies handle enormous amounts of personal data and must maintain the highest standards of compliance to stay in business. Outsourcing data security to organizations equipped to manage it can reduce the cost and burden of maintaining PCI compliance certification.
PCI-DSS compliance is one important step toward maintaining secure eCommerce operations. According to a recent study, retailers that experienced a data breach were 50 percent less likely to be PCI compliant than the overall merchant population.5 However, it is important to note that PCI-DSS is narrowly focused on keeping stored cardholder data from being compromised. Complying with PCI-DSS does not prevent identity thieves from using data already compromised from another source. While it provides a more secure transaction environment and helps reduce the overall quantity of stolen card data in circulation, compliance with PCI-DSS does not protect the merchant from accepting potentially fraudulent transactions at checkout.
With these fraud management capabilities, online retailers of all sizes can efficiently:
• determine what levels of risk are acceptable for various products, order profiles, shopping behaviors, and other combinations of factors
• adjust rules and logic as needed, based on evolving fraud patterns
• easily categorize all orders, ideally including a resolution procedure that flows in-line with the payment process
• streamline administrative processes during the entire life cycle of a transaction
By integrating fraud management tools into checkout processes, even small eCommerce businesses are empowered. Fraud management becomes an intuitive, practical, controllable business process.
Using a combination of these factors can be especially beneficial for merchants engaging in international eCommerce, where factors like address verification are unreliable by themselves. An algorithm calculates a numerical score based on a weighted point system assigned to each rule like those listed above. For example, if the first rule (IP address) is triggered, it may add 50 points to the score. And if the third rule (e-mail address in a negative database) is triggered, it may add another 250 points to the score. Each score is then matched against a merchant's profile settings to determine how the transaction is to be resolved or reviewed. Risk scoring parameters enable near-instantaneous analytical and workflow results. Online retailers should select a fraud solution provider that allows simple and frequent adjustments to scoring parameters, based on a merchant's preferences and ability to review transactions manually. Different businesses can set up widely varying scoring parameters and order resolution rules to address their specific needs. For example:
• A seller may deem requests for overnight delivery of heavy items or high-quantity items to be an order that requires review, while overnight delivery of one small camera is considered completely normal.
• Items that are considered staples or commodity products may have less rigid rules than luxury items, such as electronics and jewelry, which are more likely to appeal to fraudsters.
• An airline could set up stricter fraud policies for holiday flights or international destinations.
Risk assessment reports help analyze the effectiveness of manual reviews, and spot opportunities to eliminate costly review practices when analysis shows them to be unnecessary. According to one study, merchants ultimately accept over 70 percent of the orders they manually review, and 57 percent of merchants accept 90 percent or more of manually reviewed orders.7 To cut review costs, merchants may prefer to limit manual reviews to suspicious transactions exceeding certain dollar thresholds, which can vary by product, geography, or other parameters. With these sophisticated yet user-friendly capabilities, merchants of all sizes can significantly bolster their defenses against the high costs of fraudulent transactions.
The following illustration shows how the scoring and assessment process can work in real time as a transaction is being processed.
[Figure: scoring flow ending in one of three outcomes: Accept, Manual Review, Reject]
Figure 1. This is a simplified illustration of how a transaction scoring and assessment process can become an automated part of processing any online transaction. Note that in a real instance there may be hundreds of questions and factors that go into evaluating the risk of a transaction. Also, a good automated risk assessment system should provide merchants with flexibility around the actions they can take based on scoring.
pending review queue for too long are automatically processed to avoid the expiration of an authorization. This gives the merchant complete resolution of each transaction with minimal manual involvement. By making scoring-based transaction fraud detection an integral part of the entire payment processing function, merchants are capable of assessing the risk of transactions faster and more accurately, and are able to do this with much less investment of their staff time. Overall, they can focus on appealing to new customers, and rewarding their good customers, while eliminating time spent on the bad.
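The weighted scoring described in the previous section (50 points for the IP rule, 250 for a negative-database e-mail hit, a merchant profile that maps the total onto accept, manual review or reject, and a dollar floor below which review is skipped), together with the automatic resolution of orders that sit in the review queue too long, can be put together as follows. This is an added example, not First Data's code or a description of any processor's product; the rule weights other than 50 and 250, the thresholds, the five-day queue timeout, the `stale_review_action` setting and the sample orders are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable


@dataclass
class Order:
    order_id: str
    amount: float             # order total in USD
    ip_country: str           # country geolocated from the shopper's IP
    billing_country: str
    email: str
    shipping: str             # "standard" or "overnight"
    weight_kg: float
    placed_at: datetime


@dataclass(frozen=True)
class Rule:
    name: str
    weight: int                        # points added when the rule triggers
    triggered: Callable[[Order], bool]


# Constructed negative database: addresses seen on earlier chargebacks.
NEGATIVE_EMAILS = {"chargeback.king@example.net"}

# Weighted rules. 50 (IP) and 250 (negative e-mail) follow the paper's
# illustration; the other weights are assumptions for this example.
RULES = [
    Rule("ip_country_mismatch", 50, lambda o: o.ip_country != o.billing_country),
    Rule("high_amount", 100, lambda o: o.amount >= 1000),
    Rule("email_in_negative_db", 250, lambda o: o.email.lower() in NEGATIVE_EMAILS),
    Rule("overnight_heavy_item", 75, lambda o: o.shipping == "overnight" and o.weight_kg >= 20),
]


@dataclass
class MerchantProfile:
    review_threshold: int = 100          # score at or above this -> manual review
    reject_threshold: int = 300          # score at or above this -> reject outright
    review_min_amount: float = 50.0      # cheaper orders in the review band are accepted
    review_ttl: timedelta = timedelta(days=5)   # assumed: resolve before the authorization lapses
    stale_review_action: str = "accept"  # assumed merchant choice for timed-out orders


def score_order(order: Order, rules=RULES) -> tuple[int, list[str]]:
    """Sum the weights of every triggered rule; also return which rules fired."""
    score, hits = 0, []
    for rule in rules:
        if rule.triggered(order):
            score += rule.weight
            hits.append(rule.name)
    return score, hits


def resolve(order: Order, profile: MerchantProfile, rules=RULES) -> str:
    """Map a score onto the merchant's accept / review / reject bands."""
    score, _ = score_order(order, rules)
    if score >= profile.reject_threshold:
        return "reject"
    if score >= profile.review_threshold and order.amount >= profile.review_min_amount:
        return "review"
    return "accept"


def sweep_review_queue(queue: list[Order], now: datetime, profile: MerchantProfile) -> dict[str, str]:
    """Auto-resolve orders that have waited longer than review_ttl so the card
    authorization does not expire. Removes them from `queue` and returns
    {order_id: action}; fresher orders stay queued for a human reviewer."""
    resolved = {}
    for order in list(queue):
        if now - order.placed_at >= profile.review_ttl:
            resolved[order.order_id] = profile.stale_review_action
            queue.remove(order)
    return resolved


NOW = datetime(2010, 10, 15, 12, 0)

# Constructed sample orders.
SAMPLE_ORDERS = [
    Order("A1", 45.00, "US", "US", "alice@example.com", "standard", 0.5, NOW - timedelta(hours=1)),
    Order("A2", 1200.00, "RO", "US", "bob@example.com", "overnight", 25.0, NOW - timedelta(days=6)),
    Order("A3", 30.00, "NG", "US", "chargeback.king@example.net", "standard", 0.3, NOW),
    Order("A4", 20.00, "CA", "US", "dan@example.com", "overnight", 22.0, NOW - timedelta(days=1)),
    Order("A5", 800.00, "GB", "US", "eve@example.com", "overnight", 30.0, NOW - timedelta(days=1)),
]


def run_demo(profile: MerchantProfile = MerchantProfile()) -> dict:
    """Score and resolve the samples, then sweep the review queue as of NOW."""
    scores = {o.order_id: score_order(o)[0] for o in SAMPLE_ORDERS}
    decisions = {o.order_id: resolve(o, profile) for o in SAMPLE_ORDERS}
    queue = [o for o in SAMPLE_ORDERS if decisions[o.order_id] == "review"]
    stale = sweep_review_queue(queue, NOW, profile)
    return {"scores": scores, "decisions": decisions, "stale": stale,
            "still_queued": [o.order_id for o in queue]}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Two design points worth noting. Rejection is driven by score alone, so a negative-database hit on a cheap order still fails closed, while the dollar floor only trims the manual-review workload for low-value orders in the middle band. And because the merchant profile is plain data, the thresholds and the timed-out-review action can be tuned per product line or geography without touching the rules themselves.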
Even without putting a fraud expert on the payroll, an eCommerce operation can take steps to effectively minimize the risks of transaction fraud at checkout. Advanced fraud management services are fast, flexible, and affordable. Even small online retailers can utilize sophisticated, real-time risk assessment as an integral part of the checkout process, and lay a foundation of security best practices on which their business can grow. Online retailers should consider implementing these best practices:
• Deploy a combination of end-to-end encryption and tokenization to simplify PCI compliance and protect customers' payment card data from being stolen and used fraudulently.
• Make sure all employees understand the risks of card-not-present transactions. Compensate for the lack of in-store controls with real-time screening using both payment information and anti-fraud intelligence from other sources.
• Enable proactive security measures. Don't accept fraud as just another cost of doing business. Every eCommerce merchant can detect and stop most attempts to make fraudulent online purchases. Configuring the right kind of fraud logic in the early stages of your business can help you avoid problems later.
• Leverage as many tools as are available to you through your payment provider and other resources. Experiment with automated order screening early on, when transaction volume is low and suspicious behavior anomalies are more easily recognized.
• Constantly re-evaluate the risk settings and resolution rules so that they catch most fraud attempts without requiring many transactions to be reviewed or denied. Participate in forums, webinars, and other shared experiences with fellow merchants; in many ways, collaboration is the greatest advantage merchants have against fraud.
Additionally, for support and guidance on the nuances of fraud management, eCommerce merchants should talk to their payments processor.
• Ask how to use both payment and non-payment information to detect fraud and gain visibility into shopper behavior.
• Get recommendations on how to define rules that effectively assess order risk and determine the appropriate resolution of each order.
• Find out what level of support to expect in implementing industry best practices for reporting, scoring, order resolution and scoring parameters.
• Find out if the payment processor's solution has a user-friendly workflow for resolving transactions and managing chargebacks and reversals.
For additional information about PCI compliance, data security, and automating fraud detection as part of a payment processing solution, contact First Data or visit our website at FirstData.com.
Sources
1 Javelin Strategy & Research. Online Retail Payments Forecast 2010-2014, February 2010
2 The Green Sheet. The Worldwide Fraud Web Exposed, April 22, 2010
3 PGP Corporation and Ponemon Institute. Ponemon Study Shows the Cost of a Data Breach Continues to Increase, January 5, 2010
4 ControlScan, National Retail Federation, and PCI Knowledge Base. What Small Merchants Know (and Don't Know) about PCI Compliance, August 2009
5 Verizon Business. Verizon 2010 Payment Card Industry Compliance Report, September 2010
6 LexisNexis Risk Solutions. U.S. Retailers Face $191 Billion in Fraud Losses Each Year, November 9, 2009
7 CyberSource. Online Fraud Report, 11th annual edition, 2010
The Global Leader in Electronic Commerce First Data powers the global economy by making it easy, fast and secure for people and businesses around the world to buy goods and services using virtually any form of payment. Serving millions of merchant locations and thousands of card issuers, we have the expertise and insight to help you accelerate your business. Put our intelligence to work for you.